🎨 Design: Redesign to show a similar "drawer" view on alert select
For the details of the issue please check out the linked epic in this issue
Why are we doing this work
- when a user is viewing alerts from the threat monitoring alerts tab, the table only gives them a limited amount of information
- a user will be able to click on an alert row in the table and a drawer will appear, which will give them more information
Research done related to this:
Main finding summary:
Is our assumption correct: the smaller drawer is not good enough for users to consume the content?
- Yes, this is confirmed: none of the users prefers the small drawer, and 5 out of 6 think it is bad for reading and using
Which layout do users prefer the most?
- 4 out of 6 prefer the email layout, because they think it is easier to navigate, the content is clear, and the bigger drawer somehow feels unstable, makes it easy to make mistakes, has extra steps, etc.
- 2 out of 6 prefer the bigger drawer; the main reason they give is that this is similar to what they are used to, such as Microsoft Defender or an Excel sheet
In my opinion, the email layout is the best among the three, because most people prefer it and the reasons users give are about the layout/readability of the email layout itself, whereas the preference for the bigger drawer is mainly a habit which could change when using a different product
Is the information hierarchy good for scanning?
- Yes, 6 out of 6 users think the detailed information in the email layout is easy to read and consume
I observed one thing: users look for detailed information in the pattern of source and destination information, such as source IP and destination IP. I think we can group the information better to help users. I will explain it more in the design issue update.
Create incident and change status are the primary actions a user needs, and they are easy to find
- Create an incident, change status or assign to someone are the major actions after the user confirms the alert is not a false positive and needs further investigation or work with another team.
- The major action a user takes after confirming it is malicious is closing the network or activity and raising an incident, at the same time or later
**Additional informative insights we found during the research**
- Managing alerts is these people's major task; the time spent on it depends on the team size and the amount of alerts that come in, which could be 1-8 hours per day.
- Most teams use status to track progress; they might use different terminology, such as close instead of dismiss, or additional statuses such as engineer in review, testing, etc.
- Everyone mentioned IP during the process of investigating the alert, especially the source IP (where the event started), and they looked for additional info, such as geolocation, whether the IP address has appeared before in other alerts, and connecting directly from our platform to a lookup system. I have an issue created for it.
- Some users think integration is really necessary because they have a lot of other tools, they prefer to have one place to view everything.
Actionable insights: please follow this epic; the issues are listed below:
- 🎨 Design: bulk action for alerts management in threat management
- 🎨 Design: provide more statistic info for users about alerts
- 🎨 Design: tell the user whether the alert has shown up before or not
- 🎨 Design: tell user which rules triggered particular research
- 🎨 Design: provide different download format for alert details
- 🎨 Design: More information about Source IP
- 🎨 Design: notify user about threat monitor alerts
- 🎨 Design: allow user switch table view and email view
- 🎨 Design: give more details in documentation how we give the severity to the alerts
Related Pajamas effort
For details, please see gitlab-org/gitlab-services&9
Design:
- Figma: https://www.figma.com/file/jgka6sTKTZOMRaszkd272C/Alerts-management?node-id=722%3A3274
- Design screenshot: see the area below